Feature #1069

Unattended install behind firewall and built status

Added by NoName NoSurname about 11 years ago. Updated almost 10 years ago.

Status: Closed
Priority: Normal
Category: Unattended installations
Target version:
Difficulty:
Triaged: No
Bugzilla link:
Pull request:
Fixed in Releases:
Found in Releases:

Description

Hello,

It would be nice if we could build machines behind a firewall. The problem is that, today, the Kickstart will send, at the end, a wget "built" notification to the Foreman server. But if the machine is behind a firewall, Foreman will not know from whom this request comes, as it only sees the firewall's IPs.

Is that possible?

Thanks


Related issues

Related to Smart Proxy - Feature #969: Direct Client->Foreman communication shouldn't be needed (and moved to the Proxy) - Closed - 2011-06-09
Has duplicate Foreman - Bug #1059: Post CentOS install build information to foreman not working - Duplicate - 2011-07-21

Associated revisions

Revision 81159d4b (diff)
Added by Greg Sutcliffe almost 10 years ago

Use tokens for discovery of host identity during installation

- fixes #1069
- fixes #1720
- refs #969

History

#1 Updated by Corey Osman about 11 years ago

I don't know much about the provisioning aspect of Foreman, but it seems the following URL works great when Foreman is on the same network:

http://foreman:3000/unattended/built (the source IP is inspected to verify that the build was successful)

However, in situations where NAT is used I think we should be relying on a URL scheme rather than on the inspected source IP.
This method would allow any system in any network to send the built ack to Foreman without worrying about NAT.

http://foreman:3000/unattended/fqdn/built

#2 Updated by Ohad Levy about 11 years ago

Corey Osman wrote:

However, in situations where NAT is used I think we should be relying on a URL scheme rather than on the inspected source IP.
This method would allow any system in any network to send the built ack to Foreman without worrying about NAT.

My main concern here is security, since this is a non-authenticated call.

I'm more than open to suggestions on how to identify the requesting machine.

#3 Updated by Marcello de Sousa about 11 years ago

Following the same line as suggested in #969 (Direct Client->Foreman communication shouldn't be needed, and should be moved to the Proxy):

We would have to figure out exactly how, but the client server should never really need to contact Foreman directly (I want to have my Foreman firewalled), and IMHO this "built acknowledgement" should also be moved to the proxy.

#4 Updated by Corey Osman almost 11 years ago

Well, I would do something like this: wget -q -O /dev/null --no-check-certificate https://foreman/unattended/built/$UUID
where $UUID is a random string shared with the client at the time the provision file is generated. So in the provision file the line wget -q -O /dev/null --no-check-certificate https://foreman/unattended/built/$UUID would be unique each time.

This would help with not relying on a specific IP being present, and instead on a hard-coded MAC address and UUID.

#5 Updated by Ohad Levy about 10 years ago

we can simply use a unique secure uuid to identify the system, very similar to how puppet certnames work.
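The following is an added example, not Foreman's code and not part of this ticket, that models the two identification strategies discussed in #1, #2, #4 and #5: the source-IP lookup that breaks behind NAT, and a per-host random token minted when the provisioning template is rendered. The class and method names, the host entries, the 6-hour lifetime and the query-parameter form of the callback URL are all assumptions for illustration; Foreman's actual implementation lives in revision 81159d4b and may differ in every detail.

```ruby
require 'securerandom'
require 'digest'

# Added example (not Foreman code). A minimal in-memory model of the
# "built" callback: the old IP-based lookup versus a per-host token
# issued when the provisioning template is rendered. Every name here
# is an assumption for illustration.
class HostRegistry
  Host = Struct.new(:name, :ip, :build, :token_hash, :token_expires_at)

  # Hypothetical token lifetime: long enough for an install, short
  # enough that a leaked template is not a permanent credential.
  TOKEN_TTL = 6 * 60 * 60

  def initialize(now: -> { Time.now })
    @hosts = {}
    @now = now # injectable clock so expiry can be exercised offline
  end

  def add_host(name, ip)
    @hosts[name] = Host.new(name, ip, true, nil, nil)
  end

  # The behaviour the ticket describes: map the request to a host by its
  # source address. Behind NAT every client arrives from the firewall's
  # address, so no host matches.
  def built_by_ip(remote_ip)
    host = @hosts.values.find { |h| h.ip == remote_ip && h.build }
    return :unknown_host unless host
    host.build = false
    host.name
  end

  # Called when the kickstart is rendered: mint a random token, store only
  # its hash (a database dump then reveals no usable tokens) and return
  # the plaintext for embedding in the template.
  def issue_token(name)
    host = @hosts.fetch(name)
    token = SecureRandom.hex(16)
    host.token_hash = Digest::SHA256.hexdigest(token)
    host.token_expires_at = @now.call + TOKEN_TTL
    token
  end

  # The line that would go into the %post section in place of the bare
  # "built" call (hypothetical URL form).
  def built_callback_line(token)
    "wget -q -O /dev/null https://foreman/unattended/built?token=#{token}"
  end

  # Identify the host by token instead of source IP. The token is
  # single-use and time-limited, which bounds what an attacker gains
  # from reading a template or replaying a captured callback.
  def built_by_token(token)
    return :invalid_token unless token.is_a?(String) && token.match?(/\A\h{32}\z/)
    digest = Digest::SHA256.hexdigest(token)
    host = @hosts.values.find { |h| h.token_hash && secure_equal?(h.token_hash, digest) }
    return :invalid_token unless host
    return :expired_token if @now.call > host.token_expires_at
    return :not_in_build unless host.build
    host.token_hash = nil # consume the token
    host.build = false    # the same state change the IP path made
    host.name
  end

  private

  # Constant-time comparison; avoids leaking how many leading bytes matched.
  def secure_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

# Walk through the ticket's scenario with constructed hosts and a fixed
# clock. Returns a hash so each outcome can be checked.
def nat_build_demo
  clock = Time.at(1_000_000)
  reg = HostRegistry.new(now: -> { clock })
  reg.add_host('web01.example.com', '10.1.2.3')
  reg.add_host('web02.example.com', '10.1.2.4')
  results = {}

  # Both callbacks arrive from the firewall's public address (constructed).
  results[:ip_lookup] = reg.built_by_ip('203.0.113.7')

  token1 = reg.issue_token('web01.example.com')
  results[:callback_line] = reg.built_callback_line(token1)
  results[:token_lookup] = reg.built_by_token(token1) # works regardless of source IP
  results[:replay] = reg.built_by_token(token1)       # second use is rejected
  results[:garbage] = reg.built_by_token('../built')  # malformed input

  token2 = reg.issue_token('web02.example.com')
  clock += HostRegistry::TOKEN_TTL + 1                 # install took too long
  results[:expired] = reg.built_by_token(token2)
  results
end

puts nat_build_demo.inspect if $PROGRAM_NAME == __FILE__
```

The token is a bearer credential, so the callback line above deliberately omits the --no-check-certificate from the wget in #4: with certificate checking disabled, the installer will hand the token to whatever answers for "foreman" on the path, and the token-based identification is only as strong as the installer's trust in the server it is talking to (or as the proxy hop proposed in #969).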

#6 Updated by Ohad Levy almost 10 years ago

  • Category set to Unattended installations
  • Assignee set to Greg Sutcliffe
  • Target version set to 1.1

#7 Updated by Anonymous almost 10 years ago

  • Status changed from New to Closed
  • % Done changed from 0 to 100
